                            AUDIT OF SBA'S LOAN
                       APPLICATION TRACKING SYSTEM

                          AUDIT REPORT NUMBER 4-18

                                    APRIL 5, 2004


This report may contain proprietary information subject to the provisions of 18 USC
1905 and must not be released to the public or another agency without permission of the
Office of Inspector General.

                   U.S. SMALL BUSINESS ADMINISTRATION
                       OFFICE OF INSPECTOR GENERAL
                           WASHINGTON, D.C. 20416


                                                             AUDIT REPORT
                                                 Issue Date: April 5, 2004
                                                 Number: 4-18


To:           Stephen D. Galvan
              Chief Operating Officer
              Chief Information Officer

              Ronald E. Bew
              Office of Capital Access
              Associate Deputy Administrator

              Michael E. Pappas
              Associate Administrator for Field Operations

              Thomas A. Dumaresq
              Chief Financial Officer


From:         Robert G. Seabrooks (FOIA Ex. 6)
              Assistant Inspector General for Audit

Subject:      Audit of SBA's Loan Application Tracking System

        We have completed an application controls review of the Loan Application
Tracking System (LATS) using Federal Information System Controls Audit Manual
(FISCAM) guidance. Application controls are the structure, policies, and procedures that
apply to separate, individual application systems, such as accounts payable, inventory,
payroll, grants, or loans.

                                   BACKGROUND

       SBA's Loan Application Tracking System (LATS) is a subsystem of SBA's Loan
Accounting System (LAS). LAS is SBA's major application for tracking and accounting
for SBA loan portfolio activity. LATS was internally designed over 20 years ago in the
COmmon Business Oriented Language (COBOL) programming language. LATS supports
LAS by providing a data entry system for SBA's loan application tracking process.

       Upon receipt of SBA 7(a) and 504 loan applications at agency field offices, SBA
loan personnel enter the necessary loan information into LATS for tracking and approval
purposes. The key functions of LATS are the establishment of a loan application record
and the generation of a loan number upon loan approval. This loan number uniquely
identifies the SBA loan throughout its life. After loan approval, LATS information is
transmitted to LAS.

                  OBJECTIVES, SCOPE AND METHODOLOGY

       The objective of this audit was to determine whether SBA LATS financial system
application controls were adequate to ensure the integrity and confidentiality of system
data. Specifically, we assessed the adequacy of SBA's LATS application controls in the
following areas:

           •   Authorization Controls
           •   Completeness Controls
           •   Accuracy Controls
           •   Controls over integrity of processing and data files

        To accomplish these objectives we evaluated and tested the effectiveness of the
LATS application controls by observing the controls in operation at the SBA Washington
District Office and SBA Headquarters offices, examining related documentation, and
discussing the controls with knowledgeable personnel and system users. We followed
FISCAM guidance in conducting our review. Additionally, we reviewed the FISCAM
reports completed by Cotton & Company LLP for FYs 2000, 2001 and 2002.
Fieldwork was performed at SBA's Central Office in Washington, DC, from June 2003
to August 2003. Our audit was conducted in accordance with generally accepted
Government Auditing Standards.

                                   AUDIT RESULTS

        SBA has generally integrated adequate application controls into the design and
operation of LATS. [FOIA Ex. 2 & 5]. Additionally, we determined that the ownership
of SBA's LAS is not adequately represented by the responsible SBA offices operating the
system, and that software changes to both LATS and LAS could be better coordinated by
establishing a Configuration Control Board (CCB).

Finding 1: Computer Desktop Access to the LATS Transaction Screens is not
           Secure

       [FOIA Ex. 2 & 5]

        Chapter 3 of SBA Standard Operating Procedure (SOP) 90-47, Automated
Information Systems Security Policies, states that passwords must be used to authenticate
account users. Additionally, Section AN-2.1 of the GAO FISCAM states that financial
information system operators should be required to use a unique password and
identification code before being granted access to a system.

       [FOIA Ex. 2 & 5]

        The Electronic Transfer (E-tran) System, owned and operated by the Office of
Financial Assistance (OFA), is capable of replacing LATS in SBA's LAS. The E-tran
Gateway is part of SBA's E-loan initiative to improve back-office loan functions that
affect customer service. E-tran is currently in operation under an OFA-sponsored pilot
program in which selected lenders submit SBA Express guaranty loan requests
electronically. E-tran offers improved security controls over LATS by implementing
128-bit encryption for all file transfers. Additionally, E-tran authenticates users through
unique user ID and password controls.

Recommendation: We recommend that the Chief Operating Officer, in conjunction with
the Office of Capital Access, the Office of the Chief Information Officer and the
Assistant Administrator for Field Operations:

1A.    Implement an interim security control to prevent unauthorized access to LATS, or

1B.    Replace LATS with E-tran for field office use in the submission of SBA
       loans after the certification and accreditation of the E-tran system has been
       completed.

Management Response:

         The Chief Operating Officer / Chief Information Officer and Chief Financial
Officer agreed with recommendation 1B and stated that they will coordinate with the
Associate Deputy Administrator for Capital Access and the Assistant Administrator for
Field Operations to replace LATS with E-tran for all loans processed outside the SBA
district offices. SBA's complete response is included in Attachment 1.

Assessment of Management Response:

        We modified our recommendation and addressed it to the Chief Operating Officer
since he responded to the audit report as head of SBA operations. SBA's comments are
generally responsive to the audit recommendation. However, SBA officials need to
clarify their response with respect to the District Offices and explain how loans will be
more securely entered into the Loan Accounting System via the District Offices. Such
clarification will be addressed during the audit follow-up process.

Finding 2: Ownership of the Loan Accounting System is not Appropriately
           Assigned

        The documented ownership of LAS does not accurately reflect the offices that
actually own and operate the system. SBA security documentation identifies SBA's Chief
Financial Officer as the owner of LAS with overall responsibility for it. This occurred
because ownership of LAS was inappropriately designated to the Chief Financial Officer
in March 2001. As a result, operational units within SBA, including the Office of Capital
Access, Office of Field Operations, Office of Disaster Assistance and the Office of the
Chief Information Officer, do not currently have a formal, direct stake in the operations,
risks and capabilities of LAS. Because responsibilities have not been appropriately
designated, coordination between SBA offices for changes to the LAS environment is not
effectively administered.

        OMB Circular A-130, Appendix 3, Section B.3.4 requires that, for major
applications, a management official provide written authorization for use after
confirming that the application's security plan, as implemented, adequately protects it.
Management authorization implies accepting the risk of each system used by the
application. Additionally, SBA's System Development Methodology (SDM) requires the
establishment of a Change Control Board (CCB) for all new application projects.

        A computer system CCB identifies the software programming baseline. The CCB
is responsible for identifying proposed changes to the system and the priority for making
those changes to system computer programs. The CCB is also responsible for testing and
approving software changes made to the system before those changes are implemented.
The SDM states that CCB membership should comprise program officials, system
users, and all other organizational areas with a direct interest in the system. A CCB
should be implemented for LAS to facilitate change coordination and to develop long-term
strategies for modernization.

       SBA's SDM recognizes the need for more than one owner by mandating a
configuration control board for all system owners. We believe that ownership should be
designated to all relevant SBA offices to ensure required system functionality and support
of owner interests.

Recommendations:

2A.    We recommend that the Chief Information Officer identify and require all SBA
       program offices with partial ownership of LAS and its subsystems to properly
       accredit or authorize the LAS for production for the next system accreditation.

2B.    We recommend that the Chief Information Officer, in coordination with program
       officials from the Office of the Chief Financial Officer, Office of Capital Access,
       Office of Field Operations and Office of Disaster Assistance, establish a Change
       Control Board for SBA's LAS.

Management Response:

       The Chief Operating Officer / Chief Information Officer and Chief Financial
Officer agreed with recommendations 2A and 2B, but noted that the Chief Information
Officer, not the Chief Financial Officer, should establish a Configuration Control Board
(CCB) for SBA's Loan Accounting System.

Assessment of Management Response:

     We agreed with SBA's request and amended our recommendation accordingly.
SBA Management's comments are responsive to recommendations 2A and 2B.

                                         ***
       The findings included in this report are the conclusions of the Auditing Division
based upon the auditors' review of application controls for the Loan Application
Tracking System (LATS). The findings and recommendations are subject to review and
implementation of corrective action by your office following the existing Agency
procedures for audit follow-up and resolution.

       This report may contain proprietary information subject to the provisions of 18
USC 1905. Do not release to the public or another agency without permission of the
Office of Inspector General.

        Should you or your staff have any questions, please contact Jeffrey R. Brindle,
Director, Information Technology and Financial Management Group, at (202) 205-[FOIA
Ex. 6].


Attachments

                      U.S. SMALL BUSINESS ADMINISTRATION
                          OFFICE OF INSPECTOR GENERAL
                              WASHINGTON, D.C. 20416


Date:            March 30, 2004

To:              Robert Seabrooks, AIG for Auditing

From:            Stephen Galvan, COO/CIO [FOIA Ex. 6]
                 Thomas Dumaresq, CFO [FOIA Ex. 6]

Subject: Audit of SBA's Loan Application Tracking System

         SBA's Loan Application Tracking System (LATS) is a subsystem of SBA's Loan Accounting
System (LAS). Based on a recent audit of LATS, the OIG has determined that SBA has generally
integrated adequate application controls in the design and operation of LATS. However, the OIG
highlighted two problems: (1) [FOIA Ex. 2 & 5] and (2) Ownership of LAS is not adequately
represented by responsible SBA offices operating the system and that a Configuration Control Board
(CCB) should be established for SBA's LAS.

        OIG Recommendations:
1A.     Implement an interim security control to prevent unauthorized access to LATS, OR

1B.     Replace LATS with E-tran for field office use in the submission of SBA loans after the
        certification and accreditation of the E-tran system has been completed.

2A.     Recommend that the CIO identify and require all SBA program offices with partial ownership of
        LAS and its subsystems to properly accredit or authorize the LAS for production for the next
        system accreditation.

2B.     Recommend that the CFO, in coordination with program officials from the OCIO, OCA, OFO,
        and ODA establish a Change Control Board (CCB) for SBA's LAS.

        SBA Responses:
        We agree with 1B for all loans processed outside the SBA district offices and will work with
        the ADA for Capital Access and the Assistant Administrator for Field Operations to replace
        LATS with E-tran when appropriate.

        We agree with both 2A and 2B, with the modification that the CIO, not the CFO (as
        suggested by the OIG audit), should establish a Configuration Control Board (CCB) for
        SBA's LAS.

                                         REPORT DISTRIBUTION

Recipient                                                        No. of Copies

Office of the Chief Financial Officer
Attention: Jeffrey Brown                                                     1

General Counsel                                                              3

U.S. General Accounting Office                                               1